From: Ware, Ryan R <ryan.r.ware-ral2JQCrhuEAvxtiuMwx3w <at> public.gmane.org>
Subject: [MeeGo-SA-10:39.firefox] Multiple Vulnerabilities in Firefox
Newsgroups: gmane.comp.handhelds.meego.security.announce
Date: Thursday 20th January 2011 23:40:41 UTC (over 5 years ago)
=============================================================================
MeeGo-SA-10:39.firefox                                      Security Advisory
                                                                MeeGo Project

Topic:          Multiple Vulnerabilities in Firefox

Category:       Browser
Module:         firefox
Announced:      October 9, 2010
Affects:        MeeGo 1.0
Corrected:      October 9, 2010
MeeGo BID:      6910, 6911, 6924, 6925, 6926, 6927, 6928, 6929, 6931,
                6933, 6934, 6935, 6936, 6937, 6938 & 6939
CVE:            CVE-2010-3171, CVE-2010-3399, CVE-2010-3169,
                CVE-2010-2765, CVE-2010-2767, CVE-2010-3131, CVE-2010-3166,
                CVE-2010-2760, CVE-2010-3168, CVE-2010-3167, CVE-2010-2766,
                CVE-2010-2770, CVE-2010-2762, CVE-2010-2768, CVE-2010-2769 &
                CVE-2010-2764


For general information regarding MeeGo Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <http://www.MeeGo.com/>.

I.   Background

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance and portability.

II.  Problem Description

CVE-2010-3171: The Math.random function in the JavaScript
implementation in Mozilla Firefox 3.5.10 through 3.5.11, 3.6.4 through
3.6.8, and 4.0 Beta1 uses a random number generator that is seeded
only once per document object, which makes it easier for remote
attackers to track a user, or trick a user into acting upon a spoofed
pop-up message, by calculating the seed value, related to a "temporary
footprint" and an "in-session phishing attack." NOTE: this
vulnerability exists because of an incorrect fix for CVE-2008-5913.
CVSS v2 Base: 5.8 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-3399: The js_InitRandom function in the JavaScript
implementation in Mozilla Firefox 3.5.10 through 3.5.11, 3.6.4 through
3.6.8, and 4.0 Beta1 uses a context pointer in conjunction with its
successor pointer for seeding of a random number generator, which
makes it easier for remote attackers to guess the seed value via a
brute-force attack, a different vulnerability than CVE-2010-3171.
CVSS v2 Base: 5.8 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-3169: Multiple unspecified vulnerabilities in the browser
engine in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before
2.0.7 allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute arbitrary code
via unknown vectors.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2765: Integer overflow in the FRAMESET element implementation
in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird
before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 might
allow remote attackers to execute arbitrary code via a large number of
values in the cols (aka columns) attribute, leading to a heap-based
buffer overflow.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2767: The navigator.plugins implementation in Mozilla Firefox
before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and
3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly
handle destruction of the DOM plugin array, which might allow remote
attackers to cause a denial of service (application crash) or execute
arbitrary code via crafted access to the navigator object, related to
a "dangling pointer vulnerability."
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-3131: Untrusted search path vulnerability in Mozilla Firefox
before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and
3.1.x before 3.1.3, and SeaMonkey before 2.0.7 on Windows XP allows
local users, and possibly remote attackers, to execute arbitrary code
and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that
is located in the same folder as a .htm, .html, .jtx, .mfp, or .eml
file.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-3166: Heap-based buffer overflow in the
nsTextFrameUtils::TransformText function in Mozilla Firefox before
3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and 3.1.x
before 3.1.3, and SeaMonkey before 2.0.7 might allow remote attackers
to execute arbitrary code via a bidirectional text run.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2760: Use-after-free vulnerability in the nsTreeSelection
function in Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before
2.0.7 might allow remote attackers to execute arbitrary code via
vectors involving a XUL tree selection, related to a "dangling pointer
vulnerability." NOTE: this issue exists because of an incomplete fix
for CVE-2010-2753.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-3168: Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before
2.0.7 do not properly restrict the role of property changes in
triggering XUL tree removal, which allows remote attackers to cause a
denial of service (deleted memory access and application crash) or
possibly execute arbitrary code by setting unspecified properties.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-3167: The nsTreeContentView function in Mozilla Firefox
before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and
3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly
handle node removal in XUL trees, which allows remote attackers to
execute arbitrary code via vectors involving access to deleted memory,
related to a "dangling pointer vulnerability."
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2766: The normalizeDocument function in Mozilla Firefox
before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7 and
3.1.x before 3.1.3, and SeaMonkey before 2.0.7 does not properly
handle the removal of DOM nodes during normalization, which might
allow remote attackers to execute arbitrary code via vectors involving
access to a deleted object.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2770: Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before
2.0.7 on Mac OS X allow remote attackers to cause a denial of service
(memory corruption and application crash) or possibly execute
arbitrary code via a crafted font in a data: URL.
CVSS v2 Base: 9.3 (HIGH)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2762: The XPCSafeJSObjectWrapper class in the
SafeJSObjectWrapper (aka SJOW) implementation in Mozilla Firefox 3.6.x
before 3.6.9 and Thunderbird 3.1.x before 3.1.3 does not properly
restrict objects at the end of scope chains, which allows remote
attackers to execute arbitrary JavaScript code with chrome privileges
via vectors related to a chrome privileged object and a chain ending
in an outer object.
CVSS v2 Base: 6.8 (MEDIUM)
Access Vector: Network exploitable

CVE-2010-2768: Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before
2.0.7 do not properly restrict use of the type attribute of an OBJECT
element to set a document's charset, which allows remote attackers to
bypass cross-site scripting (XSS) protection mechanisms via UTF-7
encoding.
CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2769: Cross-site scripting (XSS) vulnerability in Mozilla
Firefox before 3.5.12 and 3.6.x before 3.6.9, Thunderbird before 3.0.7
and 3.1.x before 3.1.3, and SeaMonkey before 2.0.7 allows
user-assisted remote attackers to inject arbitrary web script or HTML
via a selection that is added to a document in which the designMode
property is enabled.
CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

CVE-2010-2764: Mozilla Firefox before 3.5.12 and 3.6.x before 3.6.9,
Thunderbird before 3.0.7 and 3.1.x before 3.1.3, and SeaMonkey before
2.0.7 do not properly restrict read access to the statusText property
of XMLHttpRequest objects, which allows remote attackers to discover
the existence of intranet web servers via cross-origin requests.
CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact
with attack mechanism

III. Impact

CVE-2010-3171: Unauthorized disclosure of information or modification
due to cryptographic error (CWE-310)

CVE-2010-3399: Unauthorized disclosure of information or modification
due to cryptographic error (CWE-310)

CVE-2010-3169: Unauthorized disclosure of information, modification
or disruption of service (NVD-CWE-noinfo)

CVE-2010-2765: Unauthorized disclosure of information, modification
or disruption of service due to numeric error (CWE-189)

CVE-2010-2767: Unauthorized disclosure of information, modification
or disruption of service due to resource management error (CWE-399)

CVE-2010-3131: Unauthorized disclosure of information, modification
or disruption of service due to other (NVD-CWE-Other)

CVE-2010-3166: Unauthorized disclosure of information, modification
or disruption of service due to buffer error (CWE-119)

CVE-2010-2760: Unauthorized disclosure of information, modification
or disruption of service due to resource management error (CWE-399)

CVE-2010-3168: Unauthorized disclosure of information, modification
or disruption of service due to buffer error (CWE-119)

CVE-2010-3167: Unauthorized disclosure of information, modification
or disruption of service due to resource management error (CWE-399)
and buffer error (CWE-119)

CVE-2010-2766: Unauthorized disclosure of information, modification
or disruption of service due to code injection (CWE-94)

CVE-2010-2770: Unauthorized disclosure of information, modification
or disruption of service due to buffer error (CWE-119)

CVE-2010-2762: Unauthorized disclosure of information, modification
or disruption of service due to permission, privilege or access
control error (CWE-264)

CVE-2010-2768: Unauthorized modification due to cross-site scripting
error (CWE-79)

CVE-2010-2769: Unauthorized modification due to cross-site scripting
error (CWE-79)

CVE-2010-2764: Unauthorized disclosure of information due to
permission, privilege or access control error (CWE-264)

IV.  Workaround

None

V.   Solution

Update to package firefox-3.6.10-6.1 or later.

VI.  References

http://bugs.meego.com/show_bug.cgi?id=6910
http://bugs.meego.com/show_bug.cgi?id=6911
http://bugs.meego.com/show_bug.cgi?id=6924
http://bugs.meego.com/show_bug.cgi?id=6925
http://bugs.meego.com/show_bug.cgi?id=6926
http://bugs.meego.com/show_bug.cgi?id=6927
http://bugs.meego.com/show_bug.cgi?id=6928
http://bugs.meego.com/show_bug.cgi?id=6929
http://bugs.meego.com/show_bug.cgi?id=6931
http://bugs.meego.com/show_bug.cgi?id=6933
http://bugs.meego.com/show_bug.cgi?id=6934
http://bugs.meego.com/show_bug.cgi?id=6935
http://bugs.meego.com/show_bug.cgi?id=6936
http://bugs.meego.com/show_bug.cgi?id=6937
http://bugs.meego.com/show_bug.cgi?id=6938
http://bugs.meego.com/show_bug.cgi?id=6939
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3171
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3399
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2765
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2767
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3131
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3166
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2760
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3168
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3167
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2766
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2770
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2762
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2768
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2769
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2764
https://nvd.nist.gov/cwe.cfm#NVD-CWE-noinfo
https://nvd.nist.gov/cwe.cfm#NVD-CWE-Other
http://cwe.mitre.org/data/definitions/79.html
http://cwe.mitre.org/data/definitions/94.html
http://cwe.mitre.org/data/definitions/119.html
http://cwe.mitre.org/data/definitions/189.html
http://cwe.mitre.org/data/definitions/264.html
http://cwe.mitre.org/data/definitions/310.html
http://cwe.mitre.org/data/definitions/399.html